CX11x, CX31x, CX710 (Earlier Than V6.03), and CX91x Series Switch Modules V100R001C10 Configuration Guide 12

The documents describe the configuration of various services supported by the CX11x&CX31x&CX91x series switch modules. The description covers configuration examples and function configurations.
Configuration Examples

Examples of managing local files and files on other devices are provided.

Example of Logging In to the Device to Manage Files

Configuration Requirements

After logging in to the device through the console interface, Telnet, or STelnet, perform the following operations:

  • View files and subdirectories in the current directory.
  • Create the test directory, copy the vrpcfg.zip file to test, and rename vrpcfg.zip as backup.zip.
  • View files in the test directory.

Procedure

  1. View files and subdirectories in the current directory.

    <HUAWEI> dir
    Directory of flash:/
    
      Idx  Attr     Size(Byte)  Date        Time       FileName
        0  -rw-            889  Mar 01 2012 14:41:56   private-data.txt
        1  -rw-          6,311  Feb 17 2012 14:05:04   backup.cfg
        2  -rw-          2,393  Mar 06 2012 17:20:10   vrpcfg.zip
        3  -rw-            812  Dec 12 2011 15:43:10   hostkey
        4  drw-              -  Mar 01 2012 14:41:46   compatible
        5  -rw-            540  Dec 12 2011 15:43:12   serverkey
    ...
    670,092 KB total (569,904 KB free)

  2. Create the test directory, copy the vrpcfg.zip file to test, and rename vrpcfg.zip as backup.zip.

    # Create the test directory.

    <HUAWEI> mkdir test
    Info: Create directory flash:/test/......Done.

    # Copy the vrpcfg.zip file to test and rename vrpcfg.zip as backup.zip.

    <HUAWEI> copy vrpcfg.zip flash:/test/backup.zip 
    Info: Are you sure to copy flash:/vrpcfg.zip to flash:/test/backup.zip?[Y/N]:y
    100%  complete
    Info: Copied file flash:/vrpcfg.zip to flash:/test/backup.zip...Done.
    NOTE:

    If no destination file name is specified, the destination file is set to the source file name by default.

  3. View files in the test directory.

    # Access the test directory.

    <HUAWEI> cd test

    # View the current working directory.

    <HUAWEI> pwd
    flash:/test/

    # View files in the test directory.

    <HUAWEI> dir
    Directory of flash:/test/
    
      Idx  Attr     Size(Byte)  Date        Time       FileName
        0  -rw-          2,399  Mar 12 2012 11:16:44   backup.zip
    
    670,092 KB total (569,900 KB free)

Configuration File

None

Example for Managing Files When the Device Functions as an FTP Server

Networking Requirements

As shown in Figure 1-27, PC1 connects to the device, and the IP address of the management network interface on the device is 10.136.23.5. The device needs to be upgraded. The device is required to function as the FTP server to upload the system software from PC1 to the device and save the configuration file to PC1 for backup. A security policy is configured to ensure that only PC1 is allowed to access the FTP server.

Figure 1-27 Network for managing files when the device functions as an FTP server

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure the FTP function and FTP user information including user name, password, user level, service type, and authorized directory on the FTP server.
  2. Configure access permissions on the FTP server.
  3. Save the vrpcfg.zip file on the FTP server.
  4. Connect to the FTP server from PC1.
  5. Upload devicesoft.cc to and download vrpcfg.zip from the FTP server.

Procedure

  1. Configure the FTP function and FTP user information on the FTP server.

    <HUAWEI> system-view
    [~HUAWEI] ftp server enable
    [*HUAWEI] aaa
    [*HUAWEI-aaa] local-user admin1234 password irreversible-cipher Helloworld@6789
    [*HUAWEI-aaa] local-user admin1234 level 15
    [*HUAWEI-aaa] local-user admin1234 service-type ftp
    [*HUAWEI-aaa] local-user admin1234 ftp-directory flash:
    [*HUAWEI-aaa] quit
    

  2. Configure access permissions on the FTP server.

    [*HUAWEI] acl number 2001
    [*HUAWEI-acl4-basic-2001] rule permit source 10.136.23.10 32 
    [*HUAWEI-acl4-basic-2001] rule deny source 10.136.23.20 32
    [*HUAWEI-acl4-basic-2001] quit
    [*HUAWEI] ftp server acl 2001
    [*HUAWEI] commit
    [~HUAWEI] quit

  3. Save the vrpcfg.zip file on the FTP server.

    <HUAWEI> save

  4. Connect to the FTP server from PC1 as the admin1234 user whose password is Helloworld@6789 and transfer files in binary mode.

    Assume that the PC runs the Windows 7 operating system.

    C:\Users\Administrator> ftp 10.136.23.5
    Connected to 10.136.23.5.
    220 FTP service ready.
    User (10.136.23.5:(none)): admin1234
    331 Password required for admin1234.
    Password:
    230 User logged in.
    ftp> binary
    200 Type set to I.
    ftp>

  5. Upload devicesoft.cc to and download vrpcfg.zip from the FTP server.

    # Upload the devicesoft.cc file to the FTP server.

    ftp> put devicesoft.cc
    200 Port command okay.
    150 Opening BINARY mode data connection for /devicesoft.cc
    226 Transfer complete.
    ftp: 107973953 bytes sent in 151.05Seconds 560.79Kbytes/sec.

    # Download the vrpcfg.zip file.

    ftp> get vrpcfg.zip
    200 Port command okay.
    150 Opening BINARY mode data connection for /vrpcfg.zip.
    226 Transfer complete.
    ftp: 1257 bytes received in 0.03Seconds 40.55Kbytes/sec.
    NOTE:
    The devicesoft.cc file to upload and the vrpcfg.zip file to download are stored in the local directory on the FTP client. Before uploading and downloading files, obtain the local directory on the client. The default FTP user's local directory on the Windows 7 operating system is C:\Users\Administrator.

  6. Verify the configuration.

    # Run the dir command on the FTP server to check the devicesoft.cc file.

    <HUAWEI> dir
    Directory of flash:/
    
      Idx  Attr     Size(Byte)  Date        Time       FileName
        0  -rw-             14  Mar 13 2012 14:13:38   back_time_a
        1  drw-              -  Mar 11 2012 00:58:54   logfile
        2  -rw-              4  Nov 17 2011 09:33:58   snmpnotilog.txt
        3  -rw-         11,238  Mar 12 2012 21:15:56   private-data.txt
        4  -rw-          1,257  Mar 12 2012 21:15:54   vrpcfg.zip
        5  -rw-             14  Mar 13 2012 14:13:38   back_time_b
        6  -rw-    107,973,953  Mar 13 2012 14:24:24   devicesoft.cc
        7  drw-              -  Oct 31 2011 10:20:28   sysdrv
        8  drw-              -  Feb 21 2012 17:16:36   compatible
        9  drw-              -  Feb 09 2012 14:20:10   selftest
       10  -rw-         19,174  Feb 20 2012 18:55:32   backup.cfg
       11  -rw-         23,496  Dec 15 2011 20:59:36   20111215.zip
       12  -rw-            588  Nov 04 2011 13:54:04   servercert.der
       13  -rw-            320  Nov 04 2011 13:54:26   serverkey.der
       14  drw-              -  Nov 04 2011 13:58:36   security
    ...
    670,092 KB total (569,904 KB free)
                                       
    # Access the FTP user's local directory on the PC and check the vrpcfg.zip file.

Configuration File
#
ftp server enable
ftp server acl 2001
#
acl number 2001
 rule 5 permit source 10.136.23.10 0
 rule 10 deny source 10.136.23.20 0
#
aaa
 local-user admin1234 password irreversible-cipher $1a$v!=.5/:(q-$xL=\K+if"'S}>k7vGP5$_ox0B@ys7.'DBHL~3*aN$
 local-user admin1234 service-type ftp
 local-user admin1234 level 15
 local-user admin1234 ftp-directory flash:
#
interface MEth0/0/0
 ip address 10.136.23.5 255.255.255.0
#
return

Example for Managing Files Using SFTP When the Device Functions as an SSH Server

Networking Requirements

As shown in Figure 1-28, PC1 connects to the device, and the IP address of the management network interface on the device is 10.136.23.4. Files need to be securely transferred between PC1 and the device. Configure the device as the SSH server to provide the SFTP service so that the SSH server can authenticate the client and encrypt data in bidirectional mode to ensure secure file transfer. A security policy is configured to ensure that only PC1 is allowed to access the SSH server.

Figure 1-28 Network for managing files using SFTP when the device functions as an SSH server

Configuration Roadmap

The configuration roadmap is as follows:

  1. Generate a local key pair and enable the SFTP server function on the SSH server so that the server and client can securely exchange data.
  2. Configure SSH user information including the authentication mode, service type, authorized directory, user name, and password.
  3. Configure access permissions on the SSH server to control SSH users.
  4. Connect to the SSH server using the third-party software OpenSSH on the PC.

Procedure

  1. Generate a local key pair on the SSH server, and enable the SFTP server.

    <HUAWEI> system-view
    [~HUAWEI] sysname SSH Server
    [*HUAWEI] commit
    [~SSH Server] rsa local-key-pair create
    The key name will be: SSH Server_Host
    The range of public key size is (512 ~ 2048).
    NOTE: If the key modulus is greater than 512,
           it will take a few minutes.
    Input the bits in the modulus[default = 2048]:
    [*SSH Server] sftp server enable
    [*SSH Server] commit

  2. Configure SSH user information including the authentication mode, service type, authorized directory, user name, and password.

    [*SSH Server] ssh user client001 authentication-type password
    [*SSH Server] ssh user client001 service-type sftp
    [*SSH Server] ssh user client001 sftp-directory flash: 
    [*SSH Server] aaa
    [*SSH Server-aaa] local-user client001 password irreversible-cipher Helloworld@6789
    [*SSH Server-aaa] local-user client001 level 15
    [*SSH Server-aaa] local-user client001 service-type ssh
    [*SSH Server-aaa] quit

  3. Configure access permissions on the SSH server.

    [*SSH Server] acl 2001
    [*SSH Server-acl4-basic-2001] rule permit source 10.136.23.10 32
    [*SSH Server-acl4-basic-2001] rule deny source 10.136.23.20 32
    [*SSH Server-acl4-basic-2001] quit
    [*SSH Server] ssh server acl 2001
    [*SSH Server] commit
    

  4. Connect to the SSH server using the third-party software OpenSSH on the PC.

    The Windows CLI can identify OpenSSH commands only when OpenSSH is installed on the PC.

    C:/Documents and Settings/Administrator> sftp client001@10.136.23.4
    Connecting to 10.136.23.4...
    The authenticity of host "10.136.23.4 (10.136.23.4)" can't be established.
    RSA key fingerprint is 0d:48:82:fd:2f:52:1c:f0:c4:22:70:80:8f:7b:fd:78.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added "10.136.23.4" (RSA) to the list of known hosts.
    client001@10.136.23.4's password:
    sftp>

    After you connect to the SSH server through third-party software, the SFTP view is displayed. Then you can perform file-related operations in the SFTP view.
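
The first-connection prompt in step 4 shows an RSA key fingerprint that should be compared with the device's real host key before answering yes. The following is an added example, not part of the Huawei guide: it takes the hex "Key code" that display rsa local-key-pair public prints on the device (read over the console), rebuilds the ssh-rsa key blob, and derives the fingerprint the client should show. The function names and the tiny sample key are constructed for illustration; the colon-separated form in the transcript is assumed to be the MD5 fingerprint that older OpenSSH clients print.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample in the layout of "Key code" output: a toy 64-bit modulus,
# far too small for real use, chosen only so the example runs offline.
SAMPLE_KEY_CODE = """
3010
  0209
    00D1E2F3 A4B5C697 88
  0203
    010001
"""


def _read_tlv(buf, pos, expected_tag):
    """Read one DER tag-length-value at pos; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != expected_tag:
        raise ValueError(f"expected DER tag 0x{expected_tag:02x} at offset {pos}")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n_len = length & 0x7F
        if n_len == 0 or n_len > 4 or pos + n_len > len(buf):
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n_len], "big")
        pos += n_len
    if pos + length > len(buf):
        raise ValueError("DER value runs past the end of the input")
    return buf[pos:pos + length], pos + length


def parse_key_code(hex_text):
    """Parse the hex Key code (DER SEQUENCE of two INTEGERs) into (n, e)."""
    der = bytes.fromhex("".join(hex_text.split()))
    seq, end = _read_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after the key structure")
    n_bytes, pos = _read_tlv(seq, 0, 0x02)
    e_bytes, pos = _read_tlv(seq, pos, 0x02)
    if pos != len(seq):
        raise ValueError("unexpected extra fields in the key structure")
    n, e = int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")
    if n <= 0 or e <= 0:
        raise ValueError("modulus and exponent must be positive")
    return n, e


def _mpint(value):
    """SSH mpint: length-prefixed big-endian, leading 0x00 if the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(raw)) + raw


def ssh_rsa_blob(n, e):
    """Build the ssh-rsa public key blob (name, exponent, modulus)."""
    name = b"ssh-rsa"
    return struct.pack(">I", len(name)) + name + _mpint(e) + _mpint(n)


def fingerprints(blob):
    """Return (MD5 colon-hex, SHA256 base64) fingerprints of a key blob."""
    md5_hex = hashlib.md5(blob).hexdigest()
    md5_fp = ":".join(md5_hex[i:i + 2] for i in range(0, 32, 2))
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return md5_fp, "SHA256:" + sha


def prompt_matches(key_code_hex, shown_fingerprint):
    """True only if the fingerprint shown by the client belongs to this key."""
    n, e = parse_key_code(key_code_hex)
    md5_fp, sha_fp = fingerprints(ssh_rsa_blob(n, e))
    shown = shown_fingerprint.strip()
    if shown.upper().startswith("MD5:"):
        shown = shown[4:]
    if shown.startswith("SHA256:"):
        expected, candidate = sha_fp, shown
    else:
        expected, candidate = md5_fp, shown.lower()
    return hmac.compare_digest(expected.encode(), candidate.encode())


if __name__ == "__main__":
    modulus, exponent = parse_key_code(SAMPLE_KEY_CODE)
    print(fingerprints(ssh_rsa_blob(modulus, exponent)))
```

Answer yes at the prompt only when prompt_matches returns True for the Key code read from the device itself.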

Configuration File
#
sysname SSH Server
#
acl number 2001
 rule 5 permit source 10.136.23.10 0
 rule 10 deny source 10.136.23.20 0
#
#
aaa
 local-user client001 password irreversible-cipher $1a$v!=.5/:(q-$xL=\K+if"'S}>k7vGP5$_ox0B@ys7.'DBHL~3*aN$
 local-user client001 service-type ssh
 local-user client001 level 15
#
sftp server enable
ssh server acl 2001
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type sftp
ssh user client001 sftp-directory flash:
#
return
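
The two saved configuration files above (FTP server and SFTP server) differ in exactly the settings a reviewer checks on a file-transfer service. The following is an added example, not part of the Huawei guide: a small Python audit of such a saved configuration. The finding names and the policy they encode are assumptions of this example, the password hash is replaced by a placeholder, and the second sample is a constructed variant that uses level 3 and a hypothetical flash:/transfer directory.

```python
import re

# Constructed sample modelled on the FTP server configuration file above.
SAMPLE_FTP_CONFIG = """\
#
ftp server enable
ftp server acl 2001
#
acl number 2001
 rule 5 permit source 10.136.23.10 0
 rule 10 deny source 10.136.23.20 0
#
aaa
 local-user admin1234 password irreversible-cipher <hash-placeholder>
 local-user admin1234 service-type ftp
 local-user admin1234 level 15
 local-user admin1234 ftp-directory flash:
#
return
"""

# Constructed variant of the SFTP server configuration file above.
SAMPLE_SFTP_CONFIG = """\
#
acl number 2001
 rule 5 permit source 10.136.23.10 0
#
aaa
 local-user client001 password irreversible-cipher <hash-placeholder>
 local-user client001 service-type ssh
 local-user client001 level 3
#
sftp server enable
ssh server acl 2001
ssh user client001 authentication-type password
ssh user client001 service-type sftp
ssh user client001 sftp-directory flash:/transfer
#
return
"""

USER_RE = re.compile(r"(?:local-user|ssh user) (\S+) "
                     r"(level|service-type|ftp-directory|sftp-directory) (\S+)")
RULE_RE = re.compile(r"rule (?:\d+ )?(permit|deny)(?: source (\S+)(?: (\S+))?)?")


def parse(config):
    """Collect enabled services, bound ACLs, ACL rules and user attributes."""
    model = {"services": set(), "bound": {}, "acls": {}, "users": {}}
    current_acl = None
    for raw in config.splitlines():
        line = raw.strip().lower()
        if not line or line == "#":
            current_acl = None  # "#" closes the current configuration view
        elif m := re.fullmatch(r"(ftp|sftp) server enable", line):
            model["services"].add(m.group(1))
        elif m := re.fullmatch(r"(ftp|ssh) server acl (\S+)", line):
            model["bound"][m.group(1)] = m.group(2)
        elif m := re.fullmatch(r"acl (?:number )?(\d+)", line):
            current_acl = model["acls"].setdefault(m.group(1), [])
        elif (m := RULE_RE.fullmatch(line)) and current_acl is not None:
            current_acl.append((m.group(1), m.group(2) or "any", m.group(3)))
        elif m := USER_RE.fullmatch(line):
            user = model["users"].setdefault(m.group(1), {})
            user.setdefault(m.group(2), set()).add(m.group(3))
    return model


def audit(config):
    """Return {finding_code: explanation} under this example's policy."""
    m, out = parse(config), {}
    if "ftp" in m["services"]:
        out["FTP_CLEARTEXT"] = "FTP sends credentials and files unencrypted"
    for service, owner in (("ftp", "ftp"), ("sftp", "ssh")):
        if service not in m["services"]:
            continue
        acl = m["bound"].get(owner)
        if acl is None:
            out["NO_SOURCE_ACL"] = f"{owner} server has no ACL bound"
        elif acl not in m["acls"]:
            out["ACL_UNDEFINED"] = f"ACL {acl} is bound but not defined"
        elif any(act == "permit" and wild != "0" for act, _, wild in m["acls"][acl]):
            # In the saved form a wildcard of 0 matches a single host.
            out["ACL_BROAD_PERMIT"] = f"ACL {acl} permits more than single hosts"
    for name, attrs in m["users"].items():
        transfer = attrs.get("service-type", set()) & {"ftp", "sftp"}
        if transfer and "15" in attrs.get("level", set()):
            out["FULL_PRIV_TRANSFER_USER"] = f"{name} transfers files at level 15"
        dirs = attrs.get("ftp-directory", set()) | attrs.get("sftp-directory", set())
        if any(d.rstrip("/") == "flash:" for d in dirs):
            out["DEVICE_ROOT_DIRECTORY"] = f"{name} is rooted at flash:"
    return out


if __name__ == "__main__":
    for code, why in audit(SAMPLE_FTP_CONFIG).items():
        print(code, "-", why)
```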

Example for Managing Files When the Device Functions as a TFTP Client

Networking Requirements

As shown in Figure 1-29, the remote device at 10.1.1.1/24 functions as the TFTP server. The device at 10.2.1.1/24 functions as the TFTP client. Routes between the device and the server are reachable.

The device needs to be upgraded. To upgrade the device, you must download system software devicesoft.cc from and upload the configuration file vrpcfg.zip to the TFTP server.

Figure 1-29 Network for managing files when the device functions as a TFTP client

Configuration Roadmap

The configuration roadmap is as follows:

  1. Run the TFTP software on the TFTP server and configure the working directory.
  2. Run TFTP commands to download devicesoft.cc from and upload vrpcfg.zip to the TFTP server.

Procedure

  1. Run the TFTP software on the TFTP server and configure the working directory. (For details, see the appropriate third-party documentation.)
  2. Run TFTP commands to download devicesoft.cc from and upload vrpcfg.zip to the TFTP server.

    <HUAWEI> tftp 10.1.1.1 get devicesoft.cc
    Info: Transfer file in binary mode.
    Please wait for a while...
    /    107973953 bytes transferred
    Info: Downloaded the file successfully.
    <HUAWEI> tftp 10.1.1.1 put vrpcfg.zip 
    Info: Transfer file in binary mode.
    Please wait for a while...
    /     100% [***********]
    Info: Uploaded the file successfully. 

  3. Verify the configuration.

    # Run the dir command on the TFTP client to check the devicesoft.cc file.

    <HUAWEI> dir
    Directory of flash:/
    
      Idx  Attr     Size(Byte)  Date        Time       FileName
        0  -rw-             14  Mar 13 2012 14:13:38   back_time_a
        1  drw-              -  Mar 11 2012 00:58:54   logfile
        2  -rw-              4  Nov 17 2011 09:33:58   snmpnotilog.txt
        3  -rw-         11,238  Mar 12 2012 21:15:56   private-data.txt
        4  -rw-          7,717  Mar 12 2012 21:15:54   vrpcfg.zip
        5  -rw-             14  Mar 13 2012 14:13:38   back_time_b
        6  -rw-    107,973,953  Mar 13 2012 14:24:24   devicesoft.cc
        7  drw-              -  Oct 31 2011 10:20:28   sysdrv
        8  drw-              -  Feb 21 2012 17:16:36   compatible
        9  drw-              -  Feb 09 2012 14:20:10   selftest
       10  -rw-         19,174  Feb 20 2012 18:55:32   backup.cfg
       11  -rw-         43,496  Dec 15 2011 20:59:36   20111215.zip
       12  -rw-            588  Nov 04 2011 13:54:04   servercert.der
       13  -rw-            320  Nov 04 2011 13:54:26   serverkey.der
       14  drw-              -  Nov 04 2011 13:58:36   security
    ...
    670,092 KB total (569,904 KB free)
                                       
    # Access the working directory on the TFTP server and check the vrpcfg.zip file.

Configuration File

None

Example for Managing Files When the Device Functions as an FTP Client

Networking Requirements

As shown in Figure 1-30, the remote device at 10.1.1.1/24 functions as the FTP server. The device at 10.2.1.1/24 functions as the FTP client. Routes between the device and the server are reachable.

The device needs to be upgraded. To upgrade the device, you must download system software devicesoft.cc from and upload the configuration file vrpcfg.zip to the FTP server.

Figure 1-30 Network for managing files when the device functions as an FTP client

Configuration Roadmap

The configuration roadmap is as follows:

  1. Run the FTP software on the FTP server and configure FTP user information.
  2. Connect to the FTP server.
  3. Run FTP commands to download devicesoft.cc from and upload vrpcfg.zip to the FTP server.

Procedure

  1. Run the FTP software on the FTP server and configure FTP user information. (For details, see the appropriate third-party documentation.)
  2. Connect to the FTP server.

    <HUAWEI> ftp 10.1.1.1
    Trying 10.1.1.1 ...
    Press CTRL + K to abort
    Connected to 10.1.1.1.
    220 FTP service ready.
    User(10.1.1.1:(none)):admin
    331 Password required for admin.
    Enter password:
    230 User logged in.
                      
    [ftp] 

  3. Run FTP commands to download devicesoft.cc from and upload vrpcfg.zip to the FTP server.

    [ftp] binary
    [ftp] get devicesoft.cc
    [ftp] put vrpcfg.zip
    [ftp] quit
    

  4. Verify the configuration.

    # Run the dir command on the FTP client to check the devicesoft.cc file.

    <HUAWEI> dir
    Directory of flash:/
    
      Idx  Attr     Size(Byte)  Date        Time       FileName
        0  -rw-             14  Mar 13 2012 14:13:38   back_time_a
        1  drw-              -  Mar 11 2012 00:58:54   logfile
        2  -rw-              4  Nov 17 2011 09:33:58   snmpnotilog.txt
        3  -rw-         11,238  Mar 12 2012 21:15:56   private-data.txt
        4  -rw-          7,717  Mar 12 2012 21:15:54   vrpcfg.zip
        5  -rw-             14  Mar 13 2012 14:13:38   back_time_b
        6  -rw-    107,973,953  Mar 13 2012 14:24:24   devicesoft.cc
        7  drw-              -  Oct 31 2011 10:20:28   sysdrv
        8  drw-              -  Feb 21 2012 17:16:36   compatible
        9  drw-              -  Feb 09 2012 14:20:10   selftest
       10  -rw-         19,174  Feb 20 2012 18:55:32   backup.cfg
       11  -rw-         43,496  Dec 15 2011 20:59:36   20111215.zip
       12  -rw-            588  Nov 04 2011 13:54:04   servercert.der
       13  -rw-            320  Nov 04 2011 13:54:26   serverkey.der
       14  drw-              -  Nov 04 2011 13:58:36   security
    ...
    670,092 KB total (569,904 KB free)
                                       
    # Access the working directory on the FTP server and check the vrpcfg.zip file.

Configuration File

None

Example for Managing Files When the Device Functions as an SFTP Client

Networking Requirements

SSH secures file transfer on a traditional insecure network by authenticating the client and encrypting data in bidirectional mode. The client uses SFTP to securely connect to the SSH server and transfer files.

As shown in Figure 1-31, routes between the SSH server and clients client001 and client002 are reachable. In this example, a Huawei device functions as the SSH server.

Client001 connects to the SSH server using the password authentication mode, and client002 connects using the RSA authentication mode.

Figure 1-31 Example for managing files when the device functions as an SFTP client

Configuration Roadmap

The configuration roadmap is as follows:

  1. Generate a local key pair and enable the SFTP server function on the SSH server so that the server and client can securely exchange data.
  2. Create users client001 and client002 and set their authentication modes on the SSH server.
  3. Generate a local key pair on client002 and configure the RSA public key of client002 on the SSH server so that the server can authenticate the client when the client connects to the server.
  4. Log in to the SSH server as users client001 and client002 using SFTP and manage files.

Procedure

  1. Generate a local key pair and enable the SFTP server function on the SSH server.

    <HUAWEI> system-view 
    [~HUAWEI] sysname SSH Server
    [*HUAWEI] commit
    [~SSH Server] rsa local-key-pair create
    The key name will be: SSH Server_Host
    The range of public key size is (512 ~ 2048).
    NOTE: Key pair generation will take a short while. 
    Input the bits in the modulus[default = 2048]:
    [*SSH Server] sftp server enable

  2. Create SSH users on the SSH server.

    NOTE:

    There are eight authentication modes for an SSH user: password, RSA, password-RSA, DSA, password-DSA, ECC, password-ECC, and all.

    # Create the client001 user and set the authentication mode to password for the user.

    [*SSH Server] aaa
    [*SSH Server-aaa] local-user client001 password irreversible-cipher Helloworld@6789
    [*SSH Server-aaa] local-user client001 service-type ssh
    [*SSH Server-aaa] local-user client001 level 3
    [*SSH Server-aaa] quit
    [*SSH Server] ssh user client001
    [*SSH Server] ssh user client001 authentication-type password
    [*SSH Server] ssh user client001 service-type sftp
    [*SSH Server] ssh user client001 sftp-directory flash:

    # Create an SSH user named client002 and set the authentication mode to rsa for the user.

    [*SSH Server] ssh user client002
    [*SSH Server] ssh user client002 authentication-type rsa
    [*SSH Server] ssh user client002 service-type sftp
    [*SSH Server] ssh user client002 sftp-directory flash:
    [*SSH Server] commit

  3. Generate a local key pair on client002 and configure the RSA public key of client002 on the SSH server.

    # Generate a local key pair on client002.

    <HUAWEI> system-view
    [~HUAWEI] sysname client002
    [*HUAWEI] commit
    [~client002] rsa local-key-pair create
    The key name will be: client002_Host
    The range of public key size is (512 ~ 2048).
    NOTE: Key pair generation will take a short while. 
    Input the bits in the modulus[default = 2048]:
    [*client002] commit

    # Check the RSA public key of the client.

    [~client002] display rsa local-key-pair public
    ======================Host key==========================                        
    Time of key pair created : 2013-12-31 15:12:55                                  
    Key name                 : client002_Host                                     
    Key type                 : RSA encryption key                                   
    ========================================================                        
    Key code:                                                                       
                                                                                    
    3082010A                                                                        
      02820101                                                                      
        00BBB7A0 4924AF13 04F2662D 2ED43B9D 589967EB                                
        D8A4F785 5AD1F662 13845081 0C65F6B3 88A9C415                                
        D81C34BD 41A4B580 70DC7460 E4A5407B 9B95630F                                
        E211F4B3 1115772D FB95D3DC 915A1858 D0DE49F7                                
        F39DD7A7 7795F2B9 C9562E8B 598CB50F 6D39240D                                
        B5C6F1D3 33A218D0 98C30104 F8F3A8CA 7172C95B                                
        03AEC0A0 8A7E99F6 6C1939AA 52CC2E31 B6703278                                
        AEE1BCD8 DC21FCA2 041C9A4C 1856A935 6894998D                                
        FBFA88FF 1708C3A6 7E092368 ACE983D7 C8DDCDF5                                
        26F5D4E5 16A15C5C D6D0018E 4EAFE055 B93FCB87                                
        2BB46EFB 02C04C3B F167A417 380CD0B0 0BC59493                                
        646CBE96 BCAF3DB7 AD0AFA0A 5D14155E D7F97DC1                                
        32693DE5 4B103442 8E0F4DAD 2598BE5E 19                                      
      0203                                                                          
        010001                                                                      
                                                                                    
    Host public key for PEM format code:                                            
    ---- BEGIN SSH2 PUBLIC KEY ----                                                 
    AAAAB3NzaC1yc2EAAAADAQABAAABAQC7t6BJJK8TBPJmLS7UO51YmWfr2KT3hVrR                
    9mIThFCBDGX2s4ipxBXYHDS9QaS1gHDcdGDkpUB7m5VjD+IR9LMRFXct+5XT3JFa                
    GFjQ3kn3853Xp3eV8rnJVi6LWYy1D205JA21xvHTM6IY0JjDAQT486jKcXLJWwOu                
    wKCKfpn2bBk5qlLMLjG2cDJ4ruG82Nwh/KIEHJpMGFapNWiUmY37+oj/FwjDpn4J                
    I2is6YPXyN3N9Sb11OUWoVxc1tABjk6v4FW5P8uHK7Ru+wLATDvxZ6QXOAzQsAvF                
    lJNkbL6WvK89t60K+gpdFBVe1/l9wTJpPeVLEDRCjg9NrSWYvl4Z                            
    ---- END SSH2 PUBLIC KEY ----                                                   
                                                                                    
    Public key code for pasting into OpenSSH authorized_keys file:                  
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7t6BJJK8TBPJmLS7UO51YmWfr2KT3hVrR9mIThFCB
    DGX2s4ipxBXYHDS9QaS1gHDcdGDkpUB7m5VjD+IR9LMRFXct+5XT3JFaGFjQ3kn3853Xp3eV8rnJVi6L
    WYy1D205JA21xvHTM6IY0JjDAQT486jKcXLJWwOuwKCKfpn2bBk5qlLMLjG2cDJ4ruG82Nwh/KIEHJpM
    GFapNWiUmY37+oj/FwjDpn4JI2is6YPXyN3N9Sb11OUWoVxc1tABjk6v4FW5P8uHK7Ru+wLATDvxZ6QX
    OAzQsAvFlJNkbL6WvK89t60K+gpdFBVe1/l9wTJpPeVLEDRCjg9NrSWYvl4Z rsa-key            
                                                                                    
    Host public key for SSH1 format code:                                           
    2048 65537 236971124413139156319984288497536917252384365713827178486564880047083
    02866675194095544776508873997960548048841766597899221781207733133848970914713928
    28996004245822852803836714700943127999689047385488621429620451220818329195189110
    44627924473325589610211286495160847469700225224727330419812554974023662258093557
    32253356530604204661994692461537162488266865503068109888451979934584121229462202
    99002021617008946509458750457763675382539063769320928471946630989015406430341622
    09710384777571208677081418917796143037155088929085835685542621042018894949429238
    03185678585506551054443213719809345206348891449836326333433071427097            
                                                                                    
    ======================Server key========================                        
    Time of key pair created : 2013-12-31 15:12:57                                  
    Key name                 : client002_Server                                   
    Key type                 : RSA encryption key                                   
    ========================================================                        
    Key code:                                                                       
                                                                                    
    3081B9                                                                          
      0281B1                                                                        
        00EAFFFB 6C891574 65E8614F 8394F843 ACE02D5D                                
        DBE171A9 B74FEA28 502DB177 72132898 86BACF0F                                
        B1B5066D 91B9EE44 341EAFBF 81413C4E 7052FC47                                
        F0B13BED 7AEF53B1 D2D3278B F127D9D2 4702692C                                
        7FDA7A58 8BC38D5D 71BBE824 4D40B042 147F6032                                
        1EF5DFFF D1D74993 E9F1F4CC E8378FC0 A2FC1ACC                                
        818A2AC9 ABFB7D04 DFAAC592 9D027C9B 8ED40567                                
        6314872C 65A71789 EF76ADD6 98653CDD B12309FD                                
        4D329476 2B726A5E ABACC229 23980F75 75                                      
      0203                                                                          
        010001                                            

    # Configure the RSA public key of client002 on the SSH server. (The Key code block under Host key in the display command output is the RSA public key of client002. Copy the information to the server.)

    [~SSH Server] rsa peer-public-key rsakey001
    [*SSH Server-rsa-public-key] public-key-code begin
    [*SSH Server-rsa-public-key-rsa-key-code] 3082010A
    [*SSH Server-rsa-public-key-rsa-key-code] 02820101
    [*SSH Server-rsa-public-key-rsa-key-code] 00BBB7A0 4924AF13 04F2662D 2ED43B9D 589967EB
    [*SSH Server-rsa-public-key-rsa-key-code] D8A4F785 5AD1F662 13845081 0C65F6B3 88A9C415
    [*SSH Server-rsa-public-key-rsa-key-code] D81C34BD 41A4B580 70DC7460 E4A5407B 9B95630F
    [*SSH Server-rsa-public-key-rsa-key-code] E211F4B3 1115772D FB95D3DC 915A1858 D0DE49F7
    [*SSH Server-rsa-public-key-rsa-key-code] F39DD7A7 7795F2B9 C9562E8B 598CB50F 6D39240D
    [*SSH Server-rsa-public-key-rsa-key-code] B5C6F1D3 33A218D0 98C30104 F8F3A8CA 7172C95B
    [*SSH Server-rsa-public-key-rsa-key-code] 03AEC0A0 8A7E99F6 6C1939AA 52CC2E31 B6703278
    [*SSH Server-rsa-public-key-rsa-key-code] AEE1BCD8 DC21FCA2 041C9A4C 1856A935 6894998D
    [*SSH Server-rsa-public-key-rsa-key-code] FBFA88FF 1708C3A6 7E092368 ACE983D7 C8DDCDF5
    [*SSH Server-rsa-public-key-rsa-key-code] 26F5D4E5 16A15C5C D6D0018E 4EAFE055 B93FCB87
    [*SSH Server-rsa-public-key-rsa-key-code] 2BB46EFB 02C04C3B F167A417 380CD0B0 0BC59493
    [*SSH Server-rsa-public-key-rsa-key-code] 646CBE96 BCAF3DB7 AD0AFA0A 5D14155E D7F97DC1
    [*SSH Server-rsa-public-key-rsa-key-code] 32693DE5 4B103442 8E0F4DAD 2598BE5E 19
    [*SSH Server-rsa-public-key-rsa-key-code] 0203
    [*SSH Server-rsa-public-key-rsa-key-code] 010001
    [*SSH Server-rsa-public-key-rsa-key-code] public-key-code end
    [*SSH Server-rsa-public-key] peer-public-key end

    # Bind the client002 user to the RSA public key of client002.

    [*SSH Server] ssh user client002 assign rsa-key rsakey001
    [*SSH Server] commit

  4. Connect SFTP clients to the SSH server.

    # If the clients connect to the SSH server for the first time, enable the initial authentication function on the clients.

    Enable the initial authentication function on client001.

    <HUAWEI> system-view
    [~HUAWEI] sysname client001
    [*HUAWEI] commit
    [~client001] ssh client first-time enable
    [*client001] commit

    Enable the initial authentication function on client002.

    [~client002] ssh client first-time enable
    [*client002] commit

    # Log in to the SSH server from client001 in password authentication mode.

    [~client001] sftp 10.1.1.1 
    Trying 10.1.1.1 ...
    Press CTRL+K to abort
    Connected to 10.1.1.1 ...
    The server's public key does not match the one cached before. 
    The server is not authenticated. Continue to access it? [Y/N]:y
    The keyname:10.1.1.1 already exists. Update it? [Y/N]:n  
    
    Please input the username: client001
    Please select public key type for user authentication [R for RSA/D for DSA/E for ECC] Please select [R/D/E]:r  
    Enter password:
    sftp-client>

    # Log in to the SSH server from client002 in RSA authentication mode.

    [~client002] sftp 10.1.1.1
    Trying 10.1.1.1 ...
    Press CTRL+K to abort
    Connected to 10.1.1.1 ...
    The server's public key does not match the one cached before. 
    The server is not authenticated. Continue to access it? [Y/N]:y
    The keyname:10.1.1.1 already exists. Update it? [Y/N]:n  
    
    Please input the username: client002
    Please select public key type for user authentication [R for RSA/D for DSA/E for ECC] Please select [R/D/E]:r  
    sftp-client>

  5. Verify the configurations.

    Run the display ssh server status command. You can see that the SFTP service has been enabled. Run the display ssh user-information command. Information about the configured SSH users is displayed.

    # Check the SSH server status.

    [~SSH Server] display ssh server status
    SSH Version                                : 2.0                                
    SSH authentication timeout (Seconds)       : 60                                 
    SSH authentication retries (Times)         : 3                                  
    SSH server key generating interval (Hours) : 0                                  
    SSH version 1.x compatibility              : Disable                            
    SSH server keepalive                       : Enable                             
    SFTP server                                : Enable                             
    STelnet server                             : Enable                             
    SNETCONF server                            : Disable                            
    SNETCONF server port(830)                  : Enable                             
    SCP server                                 : Disable                            
    SSH server DES                             : Disable                            
    SSH server port                            : 22                                 
    SSH server source address                  : 0.0.0.0  
    ACL name                                   : --                                 
    ACL number                                 : --                                 
    ACL6 name                                  : --                                 
    ACL6 number                                : --                                 

    # Check information about SSH users.

    [~SSH Server] display ssh user-information
    --------------------------------------------------------------------------------
    User Name             : client001                                               
    Authentication type   : password                                                
    User public key name  : --                                                      
    User public key type  : --                                                      
    Sftp directory        : flash:                                                  
    Service type          : sftp                                                    
                                                                                    
    User Name             : client002                                               
    Authentication type   : rsa                                                     
    User public key name  : --                                                      
    User public key type  : --                                                      
    Sftp directory        : flash:                                                  
    Service type          : sftp  
    --------------------------------------------------------------------------------
    Total 2, 2 printed 
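The verification step above can be scripted. This added example (not part of the Huawei guide) parses the two display outputs and reports settings worth a second look. The function names and the three checks are choices made for this example, and `--` is assumed to mean "not configured".

```python
import re

# Rows copied from the page's verification output (trailing spaces trimmed, some rows omitted).
STATUS = """\
SSH Version                                : 2.0
SSH version 1.x compatibility              : Disable
SFTP server                                : Enable
SSH server DES                             : Disable
SSH server port                            : 22
ACL name                                   : --
ACL number                                 : --
"""
USERS = """\
--------------------------------------------------------------------------------
User Name             : client001
Authentication type   : password
User public key name  : --
Sftp directory        : flash:

User Name             : client002
Authentication type   : rsa
User public key name  : --
Sftp directory        : flash:
--------------------------------------------------------------------------------
Total 2, 2 printed
"""

def parse_kv(text):
    """Turn 'Key : value' rows into a dict, splitting on the first ' : ' only."""
    rows = (line.split(" : ", 1) for line in text.splitlines() if " : " in line)
    return {key.strip(): value.strip() for key, value in rows}

def audit(status_text, users_text):
    """Return (subject, finding) tuples; '--' is assumed to mean 'not configured'."""
    status, findings = parse_kv(status_text), []
    if status.get("SSH version 1.x compatibility") != "Disable":
        findings.append(("server", "SSH 1.x compatibility is not disabled"))
    if status.get("SSH server DES") != "Disable":
        findings.append(("server", "DES is not disabled"))
    if status.get("ACL name") == "--" and status.get("ACL number") == "--":
        findings.append(("server", "no IPv4 ACL limits SSH client sources"))
    for block in re.split(r"\n[ \t]*\n", users_text):
        user = parse_kv(block)
        # Assumption: any type other than 'password' relies on a bound public key.
        key_auth = user.get("Authentication type", "password") != "password"
        if key_auth and user.get("User public key name") == "--":
            findings.append((user.get("User Name", "?"), "key authentication without a bound public key"))
    return findings

if __name__ == "__main__":
    for subject, finding in audit(STATUS, USERS):
        print(f"{subject}: {finding}")
```

On the page's own output it reports two findings: no IPv4 ACL on the SSH server, and client002 listed with rsa authentication while its public key name shows `--`.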

Configuration Files
  • Configuration file on the SSH server

    #
    sysname SSH Server
    #
    rsa peer-public-key rsakey001
     public-key-code begin
     3082010A                                                                       
      02820101                                                                      
        00BBB7A0 4924AF13 04F2662D 2ED43B9D 589967EB D8A4F785 5AD1F662 13845081     
        0C65F6B3 88A9C415 D81C34BD 41A4B580 70DC7460 E4A5407B 9B95630F E211F4B3     
        1115772D FB95D3DC 915A1858 D0DE49F7 F39DD7A7 7795F2B9 C9562E8B 598CB50F     
        6D39240D B5C6F1D3 33A218D0 98C30104 F8F3A8CA 7172C95B 03AEC0A0 8A7E99F6     
        6C1939AA 52CC2E31 B6703278 AEE1BCD8 DC21FCA2 041C9A4C 1856A935 6894998D     
        FBFA88FF 1708C3A6 7E092368 ACE983D7 C8DDCDF5 26F5D4E5 16A15C5C D6D0018E     
        4EAFE055 B93FCB87 2BB46EFB 02C04C3B F167A417 380CD0B0 0BC59493 646CBE96     
        BCAF3DB7 AD0AFA0A 5D14155E D7F97DC1 32693DE5 4B103442 8E0F4DAD 2598BE5E     
        19                                                                          
      0203                                                                          
        010001  
     public-key-code end
     peer-public-key end
    #
    aaa
     local-user client001 password irreversible-cipher $1a$v!=.5/:(q-$xL=\K+if"'S}>k7vGP5$_ox0B@ys7.'DBHL~3*aN$
     local-user client001 service-type ssh
     local-user client001 level 3 
    #
    sftp server enable
    ssh user client001
    ssh user client001 authentication-type password
    ssh user client001 service-type sftp
    ssh user client001 sftp-directory flash:
    ssh user client002
    ssh user client002 authentication-type rsa 
    ssh user client002 assign rsa-key rsakey001
    ssh user client002 service-type sftp
    ssh user client002 sftp-directory flash: 
    #
    return
  • Configuration file on client001

    #
    sysname client001
    #
    ssh client first-time enable
    #
    return 
  • Configuration file on client002

    #
    sysname client002
    #
    ssh client first-time enable
    #
    return

Example for Managing Files When the Device Functions as an SCP Client

Networking Requirements

Compared to the SFTP protocol, the SCP protocol combines the process of authenticating user identity and transferring files, improving configuration efficiency.

As shown in Figure 1-32, routes between the device functioning as the SCP client and the SSH server are reachable. The SCP client can download files from the SSH server.

Figure 1-32 Network for managing files when the device functions as an SCP client

Configuration Roadmap

The configuration roadmap is as follows:

  1. Generate a local key pair on the SSH server.

  2. Create an SSH user on the SSH server.

  3. Enable the SCP function on the SSH server.

  4. Download files from the SSH server.

Procedure

  1. Generate a local key pair on the SSH server.

    <HUAWEI> system-view
    [~HUAWEI] sysname SSH Server
    [*HUAWEI] commit
    [~SSH Server] rsa local-key-pair create
    The key name will be: SSH Server_Host
    The range of public key size is (512 ~ 2048).
    NOTE: Key pair generation will take a short while.
    Input the bits in the modulus [default = 2048]:  1024
    

  2. Create an SSH user on the SSH server.

    # Configure the VTY user interface.

    [*SSH Server] user-interface vty 0 4
    [*SSH Server-ui-vty0-4] authentication-mode aaa
    [*SSH Server-ui-vty0-4] protocol inbound ssh
    [*SSH Server-ui-vty0-4] quit

    # Create an SSH user named client001 and set the authentication mode to password and service type to all.

    [*SSH Server] ssh user client001
    [*SSH Server] ssh user client001 authentication-type password
    [*SSH Server] ssh user client001 service-type all

    # Set the password of the client001 user to HuaWei@123.

    [*SSH Server] aaa
    [*SSH Server-aaa] local-user client001 password irreversible-cipher HuaWei@123
    [*SSH Server-aaa] local-user client001 service-type ssh
    [*SSH Server-aaa] local-user client001 level 3 
    [*SSH Server-aaa] quit
    

  3. Enable the SCP function on the SSH server.

    [*SSH Server] scp server enable
    Info: Succeeded in starting the SCP server.   
    [*SSH Server] commit

  4. Download the backup.cfg file from the SSH server.

    # If the client connects to the SSH server for the first time, enable the initial authentication function on the client.

    <HUAWEI> system-view
    [~HUAWEI] sysname SCP Client
    [*HUAWEI] commit
    [~SCP Client] ssh client first-time enable
    [*SCP Client] commit

    # Use the 3des encryption algorithm to download the backup.cfg file from the remote SSH server with IP address 10.1.1.1 to the local user's directory.

    [~SCP Client] scp -cipher 3des client001@10.1.1.1:backup.cfg backup.cfg
    Trying 10.1.1.1 ...
    Press CTRL+K to abort
    Connected to 10.1.1.1 ...
     Continue to access it? [Y/N]:y
     [Y/N]:y
    The server's public key will be saved with the name 10.1.1.1. Please wait...
    
    Enter password:
    backup.cfg                     100%        19174Bytes            7Kb/s

Configuration File
  • Configuration file on the SSH server

    #
    sysname SSH Server
    #
    aaa
     local-user client001 password irreversible-cipher $#z$!9S<a#>H7{7dI>%0S{AcKGC=t:zjv14LlQqHO\\P.*=<x1]u;y*P`'GR3[m}$
     local-user client001 service-type ssh
     local-user client001 level 3 
    #
    scp server enable
    ssh user client001
    ssh user client001 authentication-type password
    ssh user client001 service-type all  
    #
    user-interface vty 0 4
     authentication-mode aaa
     protocol inbound ssh       
    #
    return
  • Configuration file on the SCP client

    #
    sysname SCP Client
    #
    ssh client first-time enable
    #
    return
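
The SFTP login transcripts and the SCP procedure above contain several choices a change reviewer would question: a 1024-bit modulus, the 3des cipher, first-time key acceptance, and a "y" answer to a host key mismatch. This added example (not part of the Huawei guide) scans a CLI transcript for them. The rule names, the 2048-bit minimum and the `review` function are assumptions of the example.

```python
import re

# Lines copied from the page's SFTP and SCP sessions, joined into one constructed transcript.
SESSION = """\
Input the bits in the modulus [default = 2048]:  1024
[~SCP Client] ssh client first-time enable
[~SCP Client] scp -cipher 3des client001@10.1.1.1:backup.cfg backup.cfg
 Continue to access it? [Y/N]:y
[~client001] sftp 10.1.1.1
The server's public key does not match the one cached before.
The server is not authenticated. Continue to access it? [Y/N]:y
The keyname:10.1.1.1 already exists. Update it? [Y/N]:n
"""

MIN_RSA_BITS = 2048               # review policy assumed for this example
LEGACY_CIPHERS = {"des", "3des"}  # DES and 3DES, both named on the page

def review(transcript):
    """Return (line_no, rule) for every choice a reviewer should question."""
    hits, mismatch_pending = [], False
    for no, raw in enumerate(transcript.splitlines(), 1):
        line = raw.strip()
        bits = re.search(r"bits in the modulus.*\]:\s*(\d+)$", line)
        if bits and int(bits.group(1)) < MIN_RSA_BITS:
            hits.append((no, "rsa-modulus-below-policy"))
        cipher = re.search(r"\bscp\b.*\s-cipher\s+(\S+)", line)
        if cipher and cipher.group(1).lower() in LEGACY_CIPHERS:
            hits.append((no, "legacy-cipher-requested"))
        if re.search(r"(?<!undo )ssh client first-time enable$", line):
            hits.append((no, "trust-on-first-use-enabled"))
        if "public key does not match" in line:
            mismatch_pending = True
            continue
        answer = re.search(r"Continue to access it\? \[Y/N\]:\s*(\S?)", line)
        if answer:
            # The same prompt also follows a first-time key, so only an answer
            # given right after a mismatch warning counts as a finding.
            if mismatch_pending and answer.group(1).lower() == "y":
                hits.append((no, "host-key-mismatch-accepted"))
            mismatch_pending = False
    return hits

if __name__ == "__main__":
    for line_no, rule in review(SESSION):
        print(f"line {line_no}: {rule}")
```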
Updated: 2019-08-09

Document ID: EDOC1000041694
